Thieves rig Barnes & Noble PIN pads to steal credit card data

Thieves rigged point-of-sale PIN pads at 63 US Barnes & Noble stores to hijack credit and debit card information and PINs when customers swiped their cards to make purchases, the book seller said on Wednesday.

Customers who have used their cards at affected PIN pads as recently as September may have had their accounts compromised and should check their statements for unauthorised transactions, the retailer said.

Even though its internal investigation revealed that only 1% of devices had been infected with the hacker-planted bug, Barnes & Noble disconnected all of its 7,000 PIN pads in stores nationwide by the close of business on 14 September.

CNet reports that the retailer kept the breach hush-hush until now to give the FBI time to track the hackers.


As Verizon pointed out in its 2012 Data Breach Investigations Report, weak, guessable or default credentials make point-of-sale systems easy to exploit, sometimes through third-party systems.

Barnes and Noble is recommending that customers who believe they may have been affected take these steps:

Change the PIN numbers on your debit cards

Review accounts for unauthorized transactions

Notify banks immediately if you discover any unauthorized purchases or withdrawals

Review credit card statements for any unauthorized transactions

Notify credit card-issuing banks if you discover any unauthorized purchases or cash advances.

Disgruntled customers who have to deal with this rigamarole might well ask why Barnes & Noble didn't warn them as soon as the breach was discovered, but it's clear that investigators requested no publicity to give them time to sniff out the perpetrators of the crime, which the book seller called a "sophisticated criminal effort."

It would be nice if we could trust large retailers like B&N to have secure payment processing systems, but we can't.

That means all we can do is keep an eagle eye on our credit card and debit card statements.

Or then again, we can just pay with cash, antiquated notion that it is.

This is the second time this has happened with B&N pay point systems. A quick internet search turns up another incident from five years ago. Ironically, the only thing I ever wander into a B&N for is to pick up a copy of the latest 2600.

My local B&N had told us that the PIN pads were so old and unreliable that they had been removed from service. So... B&N not only delayed/sat on this, but they also lied to us as well... guess maybe it's time to switch back to Amazon.

As a Naked Security follower, I am extremely careful online with passwords and credit card information. I was recently a victim of identity theft, in early October. I couldn't understand how somebody in a state across the country was purchasing stuff on my dime while I was running around trying to make what little money I can. Luckily my bank notified me, but the thieves had already drained my bank account. I have never been through this before, but all I can say is that it is a nightmare. I shop or just browse Barnes and Noble frequently and am almost sure this is how this happened. I understand that they are trying to investigate the situation, but you'd think that, out of respect for their customers, they could at least warn them before it's too late! I guess in this day and age, it's every man for himself. Be careful out there.

I think B&N was under a "gag order" from the FBI not to release any information. Why isn't anyone blaming the criminals? They are certainly much smarter than any retailer! I think it was smart of B&N to shut down 7,000 PIN pads for their customers' sake.

Can someone tell me if thieves have to physically handle the PIN pads, or are they compromised electronically? I can't understand how so many clerks could not notice strange behavior, nor can I understand why thieves would randomly select such a small percentage of available pads if they had access over the internet.

This is a constant battle, set to get worse before it gets better. Online business is growing and security holes are constantly found and patched; users must be constantly aware of threats that are in the public domain.

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.